Posted by timothy on Sunday March 28, 2010 @05:50AM from the need-a-new-source-of-ginseng dept.

itwbennett writes "After a networking error first reported on Wednesday last week caused computers in Chile and the US to come under the control of a system that censors the Internet in China, the 'root DNS server associated with the networking problems has been disconnected from the Internet,' writes Robert McMillan. The server's operator, Netnod, has 'withdrawn route announcements' made by the server, according to company CEO Kurt Lindqvist."

I have a lower UID than you and I don't know what a root DNS server does. I do probably know way more physics, mathematics, and philosophy than you so can it. Especially if you're not going to explain.

Simply put, a root DNS server serves one or more root zones such as .com, .org, .cn, etc.

DNS is hierarchical. When you look up a hostname such as "www.google.com", your computer goes to a DNS server. If it happens to know the IP number for that hostname, it returns it. Otherwise, it asks a root server.

The root server, in turn, looks for "google.com" in a giant file (well, I think it's actually a database now) called a root zone and figures out which servers know how to return IP information for that doma

When you ask the root servers (such as a.root-servers.net) "what is the IP for www.google.com", they will respond "go ask a.gtld-servers.net". (Each domain has a different server; for instance www.google.co.uk will send you to ns1.nic.uk.) a.gtld-servers.net, when asked, will respond "go ask ns1.google.com", which will then respond with the IP of the domain, which is your answer. The chain could go further if you had "some.very.long.string.of.dots.google.com" and if each one of those nested subdomains were delegated to another DNS server (and were not contained in the zone file for "google.com").

If the answer is already cached by the DNS server and it is still within the TTL, it will just respond with the IP.

This is how a DNS caching resolver does it; your workstation is going to be configured with one of these caching resolvers. When you ask a caching resolver, it will do all these things in the background against these servers, and just return the final answer to the client.
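The delegation walk the two comments above describe (root, then TLD server, then the domain's own server, with the caching resolver remembering the answer for its TTL), as an added example that is not part of the original thread. The zone data and the server names are a constructed toy model: the hostnames mirror the ones used in the comments, the IP addresses are RFC 5737 documentation addresses, and nothing here talks to the real DNS.

```python
"""Toy model of iterative resolution from the root, with a TTL cache.

Added example, not from the original thread. ZONES is constructed data:
the server names follow the comments above, the addresses are RFC 5737
documentation addresses, and no real queries are sent.
"""
from dataclasses import dataclass, field

# Each "server" holds one zone: delegations (NS -> the child's server) or
# final A records (address, TTL in seconds). Constructed, not real.
ZONES = {
    # The root knows only which servers are authoritative for each TLD.
    "a.root-servers.net": {"NS": {"com": "a.gtld-servers.net",
                                  "uk": "ns1.nic.uk"}},
    # The .com servers know which servers hold google.com.
    "a.gtld-servers.net": {"NS": {"google.com": "ns1.google.com"}},
    "ns1.nic.uk": {"NS": {"google.co.uk": "ns1.google.com"}},
    # The domain's own server holds the final answers.
    "ns1.google.com": {"A": {"www.google.com": ("192.0.2.10", 300),
                             "www.google.co.uk": ("192.0.2.11", 300)}},
}

ROOT = "a.root-servers.net"


def ask(server, qname):
    """One iterative query: ("answer", ip, ttl), ("referral", next) or ("nxdomain",).

    A server never chases the answer on the querier's behalf; it either
    holds the record or refers the querier to the longest delegation it has.
    """
    zone = ZONES[server]
    if qname in zone.get("A", {}):
        ip, ttl = zone["A"][qname]
        return ("answer", ip, ttl)
    labels = qname.split(".")
    # Try the longest suffix first: www.google.com -> google.com -> com.
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zone.get("NS", {}):
            return ("referral", zone["NS"][suffix])
    return ("nxdomain",)


@dataclass
class CachingResolver:
    """The client-facing resolver: walks the tree, caches answers by TTL."""
    cache: dict = field(default_factory=dict)  # qname -> (ip, expires_at)

    def resolve(self, qname, now):
        """Return (ip, trace); trace lists the servers actually asked."""
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return hit[0], []            # within TTL: no upstream traffic
        trace, server = [], ROOT         # every cold lookup starts at a root
        while True:
            trace.append(server)
            reply = ask(server, qname)
            if reply[0] == "answer":
                _, ip, ttl = reply
                self.cache[qname] = (ip, now + ttl)
                return ip, trace
            if reply[0] == "referral":
                server = reply[1]
                continue
            return None, trace


if __name__ == "__main__":
    r = CachingResolver()
    print(r.resolve("www.google.com", now=0))     # cold: three servers asked
    print(r.resolve("www.google.com", now=100))   # warm: served from cache
    print(r.resolve("www.google.co.uk", now=0))   # different TLD, different path
```

The `trace` returned for a cold lookup is exactly the chain in the comment (root, .com server, ns1.google.com); a second lookup inside the TTL returns an empty trace because the caching resolver answered alone, and a lookup after the TTL has expired walks the tree again.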

Next, your local DNS server (the one your computer asked) recursively asks ns1.google.com for the IP number of "www.google.com".

Please don't misuse "recursively" like this. It makes the rest of your otherwise intelligent post sound stupid. I think you meant "iteratively" rather than "recursively". A recursive DNS query goes like this: 1) You ask your local DNS, 2) Your local DNS asks another root (or possibly non-root) DNS, 3) the other DNS asks another, 4) the "another" asks "another", 5) Finally, somewhere in the chain, it returns an answer "recursively" through the chain of requests from DNS server to another to you. Normally, DNS l

The request your DNS server sends to "ns1.google.com" may be iterative relative to the request to the root server, but it is still recursive relative to the original request. Thus, my original statement was completely correct. You just misread it.

Also, maybe in some mega ISPs or some insanely complex intranet environment, you might have a DNS server that queries something other than the root server, but I suspect you could count all such installations worldwide on one hand if you used base 2. In practice, the only servers that support recursion are client-facing servers at ISPs.

And the root servers never recurse. They didn't even recurse back in the mid 1990s when I was first learning this stuff. As best I could determine, the last root server ha

I have a higher UID than you, though I do know what a root DNS server is. I also bet that I was using a computer before your Father kissed your Mother for the first time. I also probably know way more physics & maths than you. Philosophy is for girls, so you win on that one.

I don't know what a root DNS server does. I do probably know way more physics, mathematics, and philosophy than you

That would be wonderful if you were on a "Philosophy news" website... /. is (or at least used to be) fairly tolerant of noobs with gaps in their knowledge, but if you don't have a decent background in tech, I don't see why you're here.

A root server serves the DNS queries for a global domain such as .com. How it works is: when your computer asks for the addresses for slashdot.org, your ISP probably knows the address because someone else has asked; if not, your ISP asks the next higher level, which is more likely to know because it answers more queries. Eventually it gets to the root server if the intermediate steps fail. The farther up the answering server is, the longer it takes for you to get the answer. Each query answered has a TTL, t

So... "like a great many voices cried out in terror before being suddenly silenced."

But who is Alderaan here, exactly? Isn't China supposed to be The Empire, that just wants its Order? I thought GOOG was the eViL global empire awhile ago but now the rebels control the Death Star? This is all so very confusing.

"doesn't want to export rare earths, but loves to export lead and melamine"

Maybe it's time to try some reverse psychology. If we can somehow convince them that we need lead and melamine for our latest high-tech products, but would prefer they keep all that awful neodymium to themselves, I'm sure we can fix the imbalance.


From www.bgp4.as: The Border Gateway Protocol (BGP) is the routing protocol used to exchange routing information across the Internet. It makes it possible for ISPs to connect to each other and for end-users to connect to more than one ISP. BGP is the only protocol that is designed to deal with a network of the Internet's size, and the only protocol that can deal well with having multiple connections to unrelated routing domains.

The article includes a sample of Twitter tweets, all in Chinese. Unfortunately, just entering the Twitter search URL into Google translator doesn't seem to work, as the "Realtime results for Netnod" (http://twitter.com/search?q=Netnod) are apparently served via JSON or something. Anyone got any ideas?

This should never have been allowed to happen in the first place, and when it had, it shouldn't have been allowed to persist for a few days before being made public and taking action.

Well, I think this is unreasonably harsh. No one had ever seen the great firewall of China affect DNS traffic like this in the past. So no one (not even you) was suggesting, when they set up a root DNS server in Beijing, that it would effectively send out false answers.

Now, anyone who controls a part of the network you rely on can launch a man-in-the-middle attack, which is what happened here. So to suggest that this should never have been allowed to happen, you would have to be using strong cryptography in some way. DNS has never had that mechanism, but it will soon, because DNSSEC is coming along. The root servers are deploying it right now, and so are the other top-level domains.

Also, as soon as the I-root server operators realized this problem was occurring, and was outside of their control, they disabled the server. Why do you think that they sat on this problem for a few days, doing nothing about it?

"Most favored" seems to be ineffective nowadays as far as holding their crap back. Maybe it's time to cut them off at their short little knees economically before their expansionist military catches up with their ability to make lead-laden rubber dog crap.

I really don't understand where this china-hate is coming from. What did they ever do to you? Let's cut 1.3 billion people off the internet because someone IN ANOTHER COUNTRY WHO IS NOT CHINESE misconfigured a server. Yeah that makes total sense.

I think his point is that if China did not modify the responses in the first place, this kind of problem would have had absolutely no negative consequences for users until being fixed (since all the servers should return consistent data). I don't hate China myself, but it isn't incorrect to resent those who are intentionally breaking the DNS rather than those who simply made a mistake (or ill-advised decision).

I know it's easy to have the "nuke them from space" policy but honestly the Chinese government is just so fucked up they don't have the appropriate law enforcement or policies to police it. Then you've also probably got some level of government that's involved in a lot of the nasty shit going on. Yes, I realize most spam comes from the US. I don't know about you but the several thousand failed login attempts I see a day aren't coming from ARIN address space. It's all APNIC address space. And it's Chine

A better solution would be to just block that root server. If China doesn't want to play along nicely, well, they can turn into their own mega-LAN all they want.

In fact, I'd do one better: take ALL of their internet access outside of China offline for them - just flat out cut the connection so that their entire country is in the dark. No news, no information, no business, no nothing. Not even their government and military have any information (aside from maybe a modem or two or satellite news feeds, I guess).

All of the articles I've read about this seem to confuse DNS and BGP.
My guess is that the IP of one of the root DNS servers was being "hijacked" by the Chinese by announcing a route to it, and that route was being picked up externally, so some people thinking they were using the real DNS root were being diverted to a Chinese root server giving out different IP addresses for lookups on these domains.
Does that make sense?

No, my understanding is that BGP is used to advertise the IP of the server - they removed the route advertisement to shut the server off from the Internet but BGP wasn't actually causing the problem or compromised.

It sounds like traffic OUT of the server was being modified in some way, I would doubt the data stored on the server had been modified as that probably flows over a secure connection but actual responses are public communications and the Chinese systems are likely filtering/modifying those so that

Something like that... Netnod apparently claims that the data on their server is accurate, so either China was hijacking the connection generally, or they were filtering the results being returned. This wasn't a problem until the server (and its hacked data stream) started being accessed by machines outside of China due to a (silly but otherwise benign) routing change.

So, the real I root server sent correct answers to the querying computer in Chile. But, as the DNS packet travelled across the Chinese network, it was modified, and so the packet received by the Chilean network was false, returning a fake IP address for some domains, like 'facebook.com'.

This is called a 'man-in-the-middle attack'. The Chinese network, in the middle, is modifying packets.

Once the I root server operators realized this was happening, they stopped the BGP route announcement from the I root server node in Beijing, so that queries to i.root-servers.net would not be answered in Beijing, but instead by the other i-root nodes. There are 34 currently, so no problems with load would occur shutting off one node.
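The rewritten packet the comment above describes (a reply from the I-root node that carries an address for facebook.com) has a tell: a root server never answers an A query, it only refers the querier to the TLD servers, so a reply from a root-server address with a populated answer section cannot have come from the root unmodified. Below is an added example, not from the original thread or from Netnod, of that check on raw DNS wire format. Both packets are constructed by hand with RFC 5737 documentation addresses; they are not captures of the incident, and the check is a heuristic, not a substitute for DNSSEC validation.

```python
"""Flag a 'root server' reply that carries answer records.

Added example, not part of the thread. A root server returns referrals:
the question, an empty answer section and NS records for the TLD in the
authority section. An A record in the answer section of a reply attributed
to a root-server address means the packet was rewritten in transit (or the
address was hijacked). LEGIT and INJECTED below are constructed packets.
"""
import struct

A, NS = 1, 2                      # RR type codes


def encode_name(name):
    """DNS wire form: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode the name at msg[off], following compression pointers (0xC0xx).

    Returns (name, offset just past the name as it appeared in the message).
    """
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                 # pointer to an earlier name
            if not jumped:
                end = off + 2                 # a pointer ends the field
            off, jumped = ((ln & 0x3F) << 8) | msg[off + 1], True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if jumped else off)


def rr(name, rtype, ttl, rdata):
    """One resource record, class IN, no name compression."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_reply(qname, answers, authority):
    """Response to an A/IN query; QR set, RD echoed, RA clear (root style)."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, len(answers), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", A, 1)
    return hdr + question + b"".join(answers) + b"".join(authority)


def parse_reply(msg):
    """Return (qname, answer RRs, authority RRs); RRs are (name, type, ttl, rdata)."""
    _id, _flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, ""
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    sections = []
    for count in (an, ns):
        recs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            recs.append((name, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
        sections.append(recs)
    return qname, sections[0], sections[1]


def looks_injected(msg):
    """True if a reply attributed to a root server carries any answer RR.

    Heuristic: catches a referral rewritten into an answer. It cannot catch a
    rewritten referral that keeps the answer section empty; only DNSSEC can
    authenticate the records themselves.
    """
    _q, answers, _auth = parse_reply(msg)
    return len(answers) > 0


# Constructed: what a root node should send for facebook.com/A, i.e. no
# answer, just a referral to the .com servers.
LEGIT = build_reply("facebook.com", [],
                    [rr("com", NS, 172800, encode_name("a.gtld-servers.net"))])
# Constructed: the same query with a bogus A record spliced into the answer
# section, the shape of the on-path rewrite described above (192.0.2.66 is a
# documentation address standing in for whatever the filter returned).
INJECTED = build_reply("facebook.com",
                       [rr("facebook.com", A, 300, bytes([192, 0, 2, 66]))], [])

if __name__ == "__main__":
    print("legit referral flagged:", looks_injected(LEGIT))      # False
    print("rewritten reply flagged:", looks_injected(INJECTED))  # True
```

Applied to live traffic the same rule reads: for any reply whose source address is one of the root-server addresses, an ANCOUNT greater than zero for an ordinary A or AAAA query is an alarm. It would not have caught a rewrite that instead altered the NS referral in the authority section, which is the case the thread's DNSSEC remark addresses.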

What amazes me about Chinese censorship is that rather than show that the opposite is true, the Chinese government causes those that disagree to not be heard; so much for those in command whose culture values wisdom and patience. It's like watching Sarah Palin [youtube.com] read her notes on her hand on topics that my 14 year old daughter could debate either Pro or Con while trying desperately not to look too bored.

so much for those in command whose culture values wisdom and patience.

Chinese culture values wisdom and patience the way Canadian culture values lacrosse. If you didn't know anything about what Canadians actually do, but just read the official literature, you'd think lacrosse was a big deal. It's our national sport! Officially.

If instead you behaved like a scientist, and looked at the empirical reality of what we do, you'd find this other game called hockey... And then there's this "curling" stuff...

If you look at actual Chinese history, including recent history, you'll

Actually, that does explain a lot of things - all through March I was having issues with Twitter on my Virgin connection yet I could ssh home to my Internode connection and twidge to my heart's content... I complained but they couldn't see a problem (they probably weren't using their own DNS servers).

I blame American and Chilean ISPs. Why on earth would you query the root server on the other side of the world, especially in an ass-backwards country like China, when there are plenty of good servers here? Shouldn't you query the closest available server, not the furthest?

Basically, your ideas are right. The idea is to query the closest server, for best performance. DNS data is very small, so there's not much financial concern about transmitting data across the world (which happens all the time on the internet).

Anyway, the logical routing of the internet doesn't always match the physical world. This is routine, and not a problem until DNS traffic crosses the great firewall of China, and is modified, which is what happened here.

Since this, route announcements have changed, and the Beijing server is not being queried.

But you are also correct about ISPs. ISPs can control (if they are good) which root servers are going to be queried from their network.

My overall point is that everything was operating routinely and correctly, until a new kind of DNS problem, not observed in the wild ever before, started happening. It's hard to expect the ISPs to prevent a problem they never knew would occur.